12-03-2005, 11:47 AM   #5
ngcoders
Right Off the Assembly Line

Join Date: Jul 2004
Posts: 13
hmm

Try this

I made this as someone had reported XSS vulnerabilities in my s/w. This will strip everything and will also not allow incorrect entries through the forms (more of a quick fix). You'll have to decode appropriately while displaying.

Code:
<?php
/* This will strip HTML from every variable unless its name contains the word "text" (e.g. introtext) */
/* It also converts all ' and " into text tokens due to problems with sqlite and others */

/* Encode a value for storage: escape it, then replace line breaks, backslashes and quotes with tokens */
function dbencode($str)
{
	$str = addslashes($str);
	$str = str_replace(array("\r","\n","\\","'","\""), array("[CR]","[NL]","[ES]","[SQ]","[DQ]"), $str);
	return $str;
}

/* Reverse of dbencode(): restore the tokens, then undo addslashes() */
function dbdecode($str)
{
	$str = str_replace(array("[CR]","[NL]","[ES]","[SQ]","[DQ]"), array("\r","\n","\\","'","\""), $str);
	return stripslashes($str);
}

function check_var($var,$val)
{
	/* Arrays pass through untouched; checked first so utf8_decode()/strip_tags() are never handed an array */
	if(is_array($val)) return $val;
	if(!defined("_VALID_LM_ADMIN") && !strstr($var,'text'))
	{
		$val = utf8_decode($val); /* converts UTF-8 to ISO-8859-1; deprecated since PHP 8.2 */
		$val = strip_tags($val);
	}
	return dbencode($val);
}

/* Copies every request parameter into a global variable of the same name (register_globals style),
   so a request parameter can overwrite any existing variable that has that name */
foreach($_POST as $postvar => $postval){ ${$postvar} = check_var($postvar,$postval); }
foreach($_GET as $getvar => $getval){ ${$getvar} = check_var($getvar,$getval); }

?>
__________________
Vikas Patial
-----------------------------------------------------
http://www.ngcoders.com
http://www.roboticsindia.com
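Added example (not part of ngcoders' post): it runs the post's dbencode()/dbdecode() token scheme end to end on constructed sample strings, adds the display-time step the post leaves to the caller (decode, then htmlspecialchars() for the HTML output context), and checks the one property the scheme does not give you: an input that already contains a token literal such as "[SQ]" comes back as a quote. display(), sanitize_for_storage(), expect() and the sample strings are assumptions of this example, not functions from the original script.

```php
<?php
// Added example, not code from the original post. dbencode()/dbdecode()
// are copied from the post; display(), sanitize_for_storage(), expect()
// and the sample strings are assumptions of this example.

function dbencode(string $str): string
{
    $str = addslashes($str);
    return str_replace(
        ["\r", "\n", "\\", "'", "\""],
        ["[CR]", "[NL]", "[ES]", "[SQ]", "[DQ]"],
        $str
    );
}

function dbdecode(string $str): string
{
    $str = str_replace(
        ["[CR]", "[NL]", "[ES]", "[SQ]", "[DQ]"],
        ["\r", "\n", "\\", "'", "\""],
        $str
    );
    return stripslashes($str);
}

// What the post stores for a non-"text" field: tags stripped, then tokens.
function sanitize_for_storage(string $input): string
{
    return dbencode(strip_tags($input));
}

// Display step (assumed helper): decode the stored form, then HTML-encode it
// for the output context. ENT_QUOTES covers both quote styles, so the value
// is also safe inside a quoted attribute.
function display(string $stored): string
{
    return htmlspecialchars(dbdecode($stored), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed sample inputs.
$quoted = "O'Reilly said \"hi\"\r\nline two";
$markup = "<b>bold</b> & <i>italic</i>";

// 1. The stored form contains no raw quotes, backslashes or line breaks.
$stored = sanitize_for_storage($quoted);
expect(strpbrk($stored, "'\"\\\r\n") === false, 'stored form has no raw quotes/newlines');
expect($stored === "O[ES][SQ]Reilly said [ES][DQ]hi[ES][DQ][CR][NL]line two", 'expected token form');

// 2. Decoding restores the stripped input exactly.
expect(dbdecode($stored) === $quoted, 'round trip is lossless for this input');

// 3. The display step HTML-encodes what was decoded.
expect(display($stored) === "O&#039;Reilly said &quot;hi&quot;\r\nline two", 'display encoding');

// 4. Markup is removed before storage; the remaining & is encoded at display time.
$storedMarkup = sanitize_for_storage($markup);
expect($storedMarkup === 'bold & italic', 'tags stripped before storage');
expect(display($storedMarkup) === 'bold &amp; italic', 'ampersand encoded at display');

// 5. Caveat: the scheme is not lossless when the input already contains a
//    token literal. dbencode() leaves "[SQ]" alone and dbdecode() turns it
//    into a single quote.
expect(dbdecode(dbencode('[SQ]')) === "'", 'literal token is decoded as a quote');

echo "all checks passed\n";
```

Run it with `php example.php`; it prints "all checks passed" or throws on the first failing check. Check 5 is the point to keep in mind when adopting the scheme: anything that can read a stored value back and then write it out through the decode step should treat the five tokens as reserved, and the encoding step does nothing for values that were never passed through check_var() (for example, values set after the foreach loops ran).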